[Samba] Questions about adding a DC

Rowland Penny rpenny at samba.org
Mon Jun 18 19:03:41 UTC 2018


On Mon, 18 Jun 2018 14:42:12 -0400 (EDT)
me at tdiehl.org wrote:

> On Mon, 18 Jun 2018, Rowland Penny via samba wrote:
> 
> > On Mon, 18 Jun 2018 11:42:05 -0400 (EDT)
> > Tom Diehl via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> In reading
> >> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> >> it says "If the other DCs are Samba DCs and were provisioned with
> >> --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 =
> >> yes' to the join command"
> >>
> >> So does this mean that rfc2307 should not be used if the other DCs
> >> are MS DCs? Does the answer change if the ultimate goal is to
> >> decommission the MS DCs?
> >
> > Do you have any Unix clients or do you have an intention of either using
> > the Samba DC as a fileserver, or adding any Unix domain members?
> >
> > If you do, then add the line to any Samba DCs; if not, then you can
> > ignore it.
> 
> There are no Unix clients today but the plan is to add them once the
> Samba DC is up and running. So if I understand you correctly, I
> should add rfc2307 attributes so that I have them available when we
> provision the member server. Then on the member server add something
> like the following to the smb.conf:
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:unix_nss_info = yes
> idmap config SAMDOM:range = 10000-999999
> 
> This will also necessitate adding unix attributes to the user
> accounts.

Not exactly. If the Samba AD DC is only going to be used for
authentication, then you could use the winbind 'rid' backend on Unix
domain members; this way you don't have to add anything to AD.

> 
> Does this sound reasonable?
> 
> >>
> >> In addition,
> >> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
> >> states that "you must Create a hot-backup of
> >> the /usr/local/samba/private/idmap.ldb file on the existing DC:"
> >> and import into the new DC.
> >>
> >> If the existing DC is an MS DC, how do I accomplish this step?
> >
> > You cannot, because a Windows DC will not have that file. There is a
> > problem (or is it a feature?) with idmap.ldb on Samba DCs: they
> > can, and most probably will, return different IDs from each other.
> > So for Sysvol, you must copy idmap.ldb from the first Samba DC to
> > any other Samba DCs.
> 
> So is it safe to just ignore this part until I add a 2nd Samba DC, or
> is there something special I need to do to get the IDs to match when
> one of the DCs is an MS DC?

Windows uses SID-RIDs to identify users, groups and computers, so you
do not need to do anything for Windows and a Samba AD DC to know who
an ID is. However, for Sysvol, Samba maps Windows IDs to Unix IDs in
idmap.ldb. So, yes, it is safe to ignore that part until you add
another Samba AD DC.

Rowland
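A small consistency check for the member-server idmap settings discussed in this thread, added here as an example and not part of the original mail. The config strings are constructed samples: the 'ad' one mirrors Tom's snippet, the 'rid' one is a hypothetical version of the alternative Rowland suggests, and SAMDOM is a placeholder domain name.

```python
import re
# Constructed samples: the 'ad' backend config Tom posted, and a 'rid'
# variant for the alternative Rowland suggests (no Unix attributes in AD).
SMB_CONF_AD = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:unix_nss_info = yes
idmap config SAMDOM:range = 10000-999999
"""
SMB_CONF_RID = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Map each idmap domain ('*' is the default) to its settings; accepts 'DOM:key' and 'DOM : key'."""
    out = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return out

def check_idmap(conf):
    """Return a list of problems; an empty list means the idmap setup is consistent."""
    problems, ranges = [], []
    cfg = parse_idmap(conf)
    if "*" not in cfg:
        problems.append("missing 'idmap config *' default domain")
    for dom, keys in cfg.items():
        if "backend" not in keys:
            problems.append(f"{dom}: no backend")
        if "range" not in keys:
            problems.append(f"{dom}: no range")
            continue
        lo, hi = (int(x) for x in keys["range"].split("-"))
        ranges.append((dom, lo, hi))
    # winbind requires the ranges of different domains (including '*') to be disjoint
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges of {d1} and {d2} overlap")
    return problems
```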